The Internet may be used for many forms of communication, including voice conversations, video conferencing, development collaboration, and the like. In order for a manufacturer's programs, applications, equipment, and systems to be interoperable with each other, many protocols have been developed to standardize the communication between such systems. These protocols have grown increasingly complex to handle all the types of traffic generated to facilitate communication for video conferencing, voice over Internet Protocol (VoIP), and data over Internet Protocol applications. Two such prominent protocols are H.323 from the International Telecommunication Union—Telecommunication Standardization Sector (ITU-T) and the Session Initiation Protocol (SIP) from the Internet Engineering Task Force (IETF). Both H.323 and SIP typically allow for multimedia communication including voice, video, and data communications in real-time. In addition to H.323 and SIP, there are various other types of communication protocols, such as HTTP, HTTPS, FTP, TFTP, SSH, TELNET and SNMP. These different protocols may be utilized by a management system for managing endpoint communication devices. For instance, HTTP may be used for communicating scheduling information and FTP may be used for communicating software updates to endpoint devices, and SNMP may be used for pinging an endpoint device to determine whether it is operational (or to otherwise query an endpoint device for information).
In Internet Protocol (IP) communication networks, devices or endpoints on the network are identified by their respective IP address. Applications and programs on the different devices further identify each other using port numbers. A port number is a sixteen bit integer, the value of which falls into one of three ranges: the well-known ports, ranging from 0 through 1023; the registered ports, ranging from 1024 through 49151; and the dynamic and/or private ports, ranging from 49152 through 65535. The well-known ports are reserved for assignment by the Internet Corporation for Assigned Names and Numbers (ICANN) for use by applications that communicate using the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and generally can only be used by a system/root process or by a program run by a privileged user. The registered ports may be registered for use by companies or other individuals for use by applications that communicate using TCP or UDP. The dynamic or private ports, by definition, cannot be officially registered nor are they assigned. Both the H.323 and SIP standards use multiple, well-known, registered, and/or dynamic ports in order to facilitate such communication.
H.323 and SIP each rely on multiple other protocols, some of which may in turn rely on UDP for sending and receiving multimedia traffic. UDP features minimal overhead compared to other transport protocols (most notably TCP) at the expense of having less reliability. UDP does not provide for guaranteed packet delivery nor data integrity. UDP does offer the highest possible throughput, thus, making it ideally suited for multimedia real-time communications.
Multimedia communications traffic will most likely have to traverse a firewall at some point during transmission, especially over the Internet, regardless to which protocol the traffic conforms. Firewalls are used in modern networks to screen out unwanted or malicious traffic. Disparate networks, such as different local area networks (LANs), are typically protected by a firewall that restricts certain externally-originated communication from entering the protected network. That is, the firewall of a given LAN may block certain traffic to minimize the risk of allowing malicious traffic into the LAN. Accordingly, multimedia communications traffic will most likely have to traverse a firewall at some point during transmission, especially over the Internet, regardless to which protocol the traffic conforms. Firewalls are used in modern networks to screen out unwanted or malicious traffic. It should be understood that, as used herein, a “firewall” may refer to any piece of equipment or device that is configured to restrict certain externally-originated communication from entering the protected network. As one example, a firewall may be implemented via an access control list and/or rules deployed on a router or other device. Of course, a firewall may be achieved through implementation of any access control device that restricts certain traffic from entering and/or exiting the protected network.
One of many techniques a firewall may use is packet filtering, wherein the firewall determines whether or not to allow individual packets by analyzing information in the packet header (such as the IP address and port of the source and destination). Thus, various ports or IP addresses may be blocked to minimize the risk of allowing malicious traffic into an important computer network or system. Another more advanced technique is called stateful inspection, where in addition to analyzing header information, a firewall keeps track of the status of any connection opened by network devices behind the firewall. Deciding whether or not a packet is dropped in a stateful inspection is based on the tracked status of the connection and information from within the packet header. In practice, firewalls (especially those used by large corporations) generally only allow traffic from the well-known ports, though such firewalls may be specially configured to allow traffic on any port. For multimedia communication systems that use multiple registered and dynamic ports, firewalls (unless specially configured) will generally block the data traffic on these ports between multimedia systems, thus preventing communication.
Video conferencing endpoints generally use multiple dynamic ports for the transmission of communication data packets and, as such, each port used necessitates opening that port on a firewall. Additionally, different endpoints participating in different conversations use different sets of ports, further increasing the number of ports to be opened on a firewall. Reconfiguring ports on a firewall is a time consuming task that introduces the risk of human error, which may defeat the purpose of the firewall by leaving a network vulnerable to malicious attacks. Furthermore, even though these dynamic ports should be closed after the communication ends, in practice, once a firewall port is open, it remains open because the firewall technicians typically do not expend the additional time resources to close the ports.
Additionally, many video conferencing systems do not support encryption. In such cases, the communication between endpoints is not secure and may be intercepted while being transmitted across the Internet.
Existing video conferencing systems such as TANDBERG's BORDER CONTROLLER™, a component of TANDBERG's EXPRESSWAY™ firewall traversal solution, requires the use of TANDBERG Gatekeepers or TANDBERG traversal enabled endpoints. While allowing firewall traversal, the EXPRESSWAY™ solution still requires user intervention to select and trust a range of ports on a firewall and requires the purchase of TANDBERG equipment to use existing legacy video conference endpoints that are not traversal-enabled. The V2IU™ series of products from Polycom, Inc., are Application Level Gateways (ALG) that act as protocol-aware firewalls that automate the selection and trusting of ports, but as such, multiple ports are still used when sending traffic between endpoints with the risk of having such traffic being blocked by a non-protocol-aware firewall. Further, such an ALG does not provide for secure communication. The PATHFINDER™ series of products from RadVision, Ltd., provides for firewall traversal via multiplexing to a single port, but still requires opening a port on a firewall. Multiplexing is implemented by taking sections of data from each of the data streams coming through the various ports and placing them alternately into a single stream. Thus, the resulting stream is simply a train of interleaved data bits that are not recognized as any particular communication protocol. At the destination end point, a packet constructor picks each data bit and places it in the appropriate stream on the appropriate port and rebuilds the original stream.
Similar systems have been implemented for voice, VoIP, and data over IP communication systems. Each either relies on a proprietary system or equipment or relies on actually selecting and opening multiple ports in a firewall that could leave the underlying network vulnerable to malicious electronic attacks.